§ 26 FDPA constitutes a basis for processing of employment data. The new rule keeps more or less the framework of the current rules on processing of HR data. The processing of employee data is generally allowed if necessary for establishing, carrying out or terminating the employment relationship (NB: subject to interpretation based on existing case law and guidance of DPAs). The GDPAA maintains the current restrictions for investigations of criminal conduct and now expressly mentions operating or service agreements (collective agreement) and collective bargaining agreements as possible legal bases for the processing of HR data.
§ 26 FDPA also contains certain justifications for the use of special categories of employee data ("sensitive data") and a definition of the term "employee". The GDPAA further provides clarification on consent, such as the circumstances when such consent is “freely given” in an employer-employee relationship. Legal and economic advantages are considered in this respect; the reasoning of the GDPAA refers, for example, to the use of IT for private purposes or to receiving health benefits. Under certain conditions, § 24(2) FDPA permits a change of purposes for sensitive data in an HR context.
Employers are obliged to request an exhaustive list of data categories from job candidates and employees as set out in the Labour Code; if they want to collect more data directly from job candidates and employees, then consent is required, unless there is a special provision of law that entitles them to process this data (e.g. some criminal convictions of managing board members).
However, the processing of a candidate's/employee's special categories of personal data by the (potential) employer on the basis of his/her explicit consent is not permitted unless such data is provided on the candidate's/employee's initiative. It is also prohibited in all circumstances to process a candidate's/employee's personal data relating to criminal convictions and offences by the (potential) employer if such processing is based on his/her consent. The only basis for such processing is a legal obligation.
Employers may (i) use CCTV for the purpose of ensuring employees' security, protection of the employer's property, production control, and information security; and (ii) monitor employees' emails for the purpose of ensuring a work organization which allows for making full use of employees' working hours and appropriate usage of the working tools made available to them.
The controller must additionally ensure that its records of processing activities (under Article 30 of the GDPR):
The Data Protection Act 2018 restricts certain data subject rights, including subject access, with regard to employment references. For more information see 'Any other areas under discussion'.
(Paragraph 24 of Schedule 2 to the Data Protection Act 2018)
Enforced subject access
The Data Protection Act 2018 maintains the offence for requiring an individual to exercise their subject access rights to obtain a relevant record (largely relating to health, convictions and cautions, and statutory functions) as part of the recruitment or continued employment of that individual. For more information see 'Any other areas under discussion'.
(Section 177 of the Data Protection Act 2018)
Equal opportunity and treatment
The Data Protection Act 2018 allows employers, with certain restrictions, to consider "specified" categories of personal data (personal data revealing racial or ethnic origin, and religious or philosophical beliefs or personal data concerning health or an individual's sexual orientation) as part of equality of opportunity or treatment. Employers may also process data regarding racial and ethnic origin to promote and maintain diversity at senior levels of the organisation. For more information see 'Special rules for special categories of data'.
(Paragraphs 8 and 9 of Schedule 1 to the Data Protection Act 2018)